How to Conduct Reference Checks with GDPR Compliance
Posted by David Haines in Human Resources
It’s here! The dreaded 25 May deadline meant that for months we heard about little else beyond that daunting four-letter acronym: G.D.P.R.
According to research by Lever, 61% of compliance professionals were “concerned about how the GDPR would impact their recruiting and hiring processes, including their methods for sourcing potential candidates.”
Now that it’s in place, here are the questions you should be asking of your reference checking process, to ensure data protection compliance.
1. Do you have candidate consent?
As soon as a candidate applies for a role, they must be aware of every background check you plan to take and provide consent for you to do so.
Of course, if they don’t give consent, you can terminate their application on the grounds that it is a requirement of your recruitment process.
In GDPR terms, consent is:
“Freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing”
2. Is the data you are collecting of “legitimate interest”?
GDPR guidelines outline a number of factors that deem a data gathering process of “legitimate interest”.
You must ensure the information you plan to collect:
- informs a contractual decision
- meets industry compliance
- is in the public's interest
You should also be confident the process itself doesn’t go beyond reasonable privacy expectations - a breach could occur if a reference check includes questions that are personal, discriminatory or have little relation to an individual’s performance.
3. Are you destroying unnecessary data?
Data destruction is a major focus of the GDPR and something that sets it apart from previous data privacy directives.
It requires organisations to keep data only as long as they need to, and to delete it securely, completely and with evidence of having done so when necessary.
Candidates’ “right to be forgotten” means they can, at certain times, request that their data is deleted. This includes:
- when the information is no longer required for its intended purpose
- when the individual withdraws their consent
This means you may reasonably be asked to delete the reference checks of unsuccessful candidates but you should also be considering the necessity of all candidate data you hold and destroying any that could be deemed unnecessary.
4. Will you need to transfer data internationally?
GDPR does not restrict the transfer of data outside of the EU, but it does set boundaries on where and how data can be shared internationally.
Under the regulation, countries are divided into two groups:
- Adequate countries - countries considered to ensure an adequate level of protection for personal data. Data transfers are permitted and legal.
- “Non-adequate” countries - countries considered to offer inadequate levels of protection. International data transfers can only take place where organisations have safeguards for data protection in place.
If the EU Commission has decided a country’s level of data protection is not adequate, overseas transfers can still be made in some circumstances. In the case of reference checking, this might include when a candidate has been informed of the potential risks of the transfer and explicitly consents to you progressing with it.
We’re proud to offer the assurance of a fully GDPR compliant process, so our users don’t have to worry about the security of their reference checking data.
If you’d like to understand how we streamline and secure the reference checking process with automation, you can learn more about the platform here.